Cloudflare WAF adds detections for Ivanti EPMM RCE and XSS injection vulnerabilities
Cloudflare · security · release · bugfix · developers.cloudflare.com

Emergency WAF Release

Cloudflare released an emergency security update to its Web Application Firewall (WAF) on March 12, 2026, introducing critical new detections for two vulnerabilities in Ivanti Endpoint Manager Mobile (EPMM) and a generic cross-site scripting (XSS) pattern.

Ivanti Endpoint Manager Mobile (EPMM) Remote Code Execution

The WAF now detects and blocks exploitation attempts for CVE-2026-1281 and CVE-2026-1340, which affect Ivanti EPMM. These vulnerabilities allow attackers to achieve unauthenticated remote code execution through unvalidated user input:

  • Vulnerable endpoints: /mi/bin/map-appstore-url and /mi/bin/map-aft-store-url
  • The vulnerability stems from Apache RewriteMap directives that pass unsanitized user input directly to Bash scripts
  • The Bash scripts lack input validation, so attacker-controlled values can reach shell arithmetic expansion, which is the basis of the attack
  • The new detection rule has been set to Block action (previously Log)
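As an added illustration (not Ivanti's or Cloudflare's code) of the input validation the bulletin says the scripts lack: a hypothetical Apache RewriteMap `prg:` handler that rejects anything other than a short decimal store id before the value can reach arithmetic expansion. The URL, the id format and the "NULL" no-match answer are assumptions.

```shell
#!/bin/sh
# Hypothetical RewriteMap "prg:" handler (added example, not Ivanti's script).
# Apache feeds one lookup key per line on stdin; the key is untrusted input.

# Return 0 only if $1 is a plain decimal integer (no sign, no leading zeros,
# at most 10 digits). Everything else is rejected before any $(( )) use.
is_store_id() {
    case "$1" in
        0) return 0 ;;
        '' | 0* | *[!0-9]*) return 1 ;;
    esac
    [ "${#1}" -le 10 ]
}

# Map a validated id to a URL. On invalid input answer "NULL" (assumed to be
# the map's "no match" convention) instead of evaluating the key.
map_store_url() {
    if is_store_id "$1"; then
        # Arithmetic only runs on a string already proven to be digits.
        echo "https://store.example.invalid/app/$(( $1 + 0 ))"
    else
        echo "NULL"
    fi
}

# prg: protocol loop: read a key, print exactly one answer line per key.
# Call this at the end of the script when wiring it into httpd.conf.
map_loop() {
    while IFS= read -r key; do
        map_store_url "$key"
    done
}

# Self-check on constructed keys when run directly.
[ "$(map_store_url 12345)" = "https://store.example.invalid/app/12345" ] || exit 1
[ "$(map_store_url '1+1')" = "NULL" ] || exit 1
```

Because the handler never evaluates a key that fails `is_store_id`, a WAF block and this check are independent layers: the WAF rule stops known exploit traffic at the edge, while the script refuses any non-numeric key that reaches the origin.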

Generic XSS in Content-Security-Policy Header

A new generic detection rule identifies malicious payloads embedded in HTTP request Content-Security-Policy (CSP) headers. This targets scenarios where applications trust and extract values directly from CSP headers without proper validation, enabling attackers to inject malicious scripts or directives that execute during page rendering.

Critical Impact: In environments with server-side caching, poisoned XSS content can be cached and automatically served to all site visitors, turning a single malicious request into an exposure for every user who receives the cached response.

Action Required

Both new detection rules are now active and blocking by default on Cloudflare-protected properties. If you operate Ivanti EPMM or accept dynamic CSP headers from requests, review your WAF logs for potential blocks and adjust your configuration if needed.